Overview
Blumira’s modern cloud SIEM platform integrates with Linux Journald to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Journald will stream security event logs to the Blumira service for automated threat detection and actionable response.
Before you begin
Before configuring log forwarding for Linux Journald, you must set up log ingestion for the Linux operating system. See Integrating with Linux OS.
Configuring log forwarding for Linux Journald
Open /etc/systemd/journald.conf with sudo and your preferred editor, and change the option ForwardToSyslog to yes. It should look like ForwardToSyslog=yes.
sudo vim /etc/systemd/journald.conf
No other options need to be changed in the journald configuration for log forwarding. The journald events will now flow into the rsyslogd syslog socket.
Save the file and restart the systemd-journald service on the machine.
Note: Reload can be used in place of restart if there is a particular need to avoid restarting the journald service entirely.
systemctl restart systemd-journald
At this point the configuration is complete. The logs can also be found in /var/log/messages (or the similar catchall log file on your OS) with the journal namespace. The Blumira configuration in /etc/rsyslog.d/ that handles Linux log forwarding will automatically forward the logs.
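As an added example (not part of Blumira's documentation or its rsyslog configuration), the following POSIX shell functions script the two steps above and add the check a practitioner wants afterwards: set ForwardToSyslog=yes idempotently in a journald.conf file, report the active value, and, once systemd-journald has been restarted, confirm that a journal entry actually reaches the syslog file. The config path and the syslog file are parameters; /var/log/messages as the default is an assumption.

```shell
#!/bin/sh
# Added example, not Blumira's own code: script the ForwardToSyslog change
# and verify it. Paths are parameters; /var/log/messages is an assumed default.

# Print the active (uncommented) ForwardToSyslog value in the file given as $1,
# or "unset" if there is none; journald honours the last assignment, so take it.
journald_forward_value() {
    v=$(sed -n 's/^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Idempotently set ForwardToSyslog=yes in the file given as $1: rewrite an
# existing active or commented-out line, otherwise append it under [Journal].
# The result is written back through a temp file so the original file keeps
# its owner and mode (a plain mv would replace them with the temp file's).
set_forward_to_syslog() {
    f=$1
    re='^[[:space:]]*#\{0,1\}[[:space:]]*ForwardToSyslog[[:space:]]*='
    tmp=$(mktemp)
    if grep -q "$re" "$f"; then
        sed "s/$re.*/ForwardToSyslog=yes/" "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        # Keep appended lines off the end of an unterminated last line
        [ -s "$f" ] && [ -n "$(tail -c 1 "$f")" ] && printf '\n' >> "$tmp"
        grep -q '^\[Journal\]' "$f" || printf '[Journal]\n' >> "$tmp"
        printf 'ForwardToSyslog=yes\n' >> "$tmp"
    fi
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# End-to-end check for after "systemctl restart systemd-journald": write one
# journal entry through systemd-cat (so journald, not rsyslog, receives it) and
# confirm it was forwarded into the syslog file given as $1. Returns non-zero
# if the entry does not appear, which means forwarding is not working.
check_forwarding() {
    logfile=${1:-/var/log/messages}
    tag="journald-forward-check-$$"
    systemd-cat -t "$tag" echo "forwarding test"
    sleep 2
    grep -q "$tag" "$logfile"
}
```

Run set_forward_to_syslog against /etc/systemd/journald.conf with sudo, restart systemd-journald as above, then run check_forwarding; journald_forward_value on the same file shows whether the setting is active before and after.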